FCW : November and December 2016
Commentary | RICK BARNARD

Think FedRAMP is a bottleneck? Think again.

The Federal Risk and Authorization Management Program deserves praise, not criticism, and here are four reasons why.

In recent months, members of industry and the media have loudly criticized the Federal Risk and Authorization Management Program. For example, security professionals say FedRAMP’s security controls are not strong enough, and compliance alone does not ensure information security. Other critics say FedRAMP makes it harder for government agencies to move to the cloud.

However, those criticisms are false and not deserved. Perhaps industry has lost sight of all that we in the federal IT sector have accomplished since FedRAMP was established. Without it, there would be no standard controls or processes in place for government agencies to evaluate or share.

FedRAMP saves significant time, money and resources, and it provides enhanced security visibility through standardized continuous monitoring reports and risk-based security management.

We all owe a debt of gratitude for FedRAMP’s dedication in support of enabling federal — and state and local — agencies to adopt cloud services. Understanding the program’s impact is imperative. Here are four reasons why FedRAMP’s accomplishments should not go unnoticed:

1. FedRAMP offers multiple routes to authorization.

Cloud service providers have three paths to authorization. The most commonly used is to gain provisional authority to operate (ATO) from FedRAMP’s Joint Authorization Board. Alternatively, a company can be granted an ATO by an agency. Lastly, although no companies have used this method to date, a CSP can work with a FedRAMP-accredited third-party assessment organization (3PAO) to complete all required documentation, testing and security assessments.

Costs tend to vary widely depending on the path, but all the approaches result in the same end goal: FedRAMP authorization and an opportunity to sell cloud products and services in the federal market.

2. FedRAMP encourages built-in security.

There is a significant investment required for companies to meet the government’s security standards, as there should be. It takes time and money, but the size of that investment depends on how prepared a company is before embarking on the FedRAMP process. Services built with government security at their foundation can make it through FedRAMP approval much faster and at much lower costs than commercial services that must be retrofitted.

3. FedRAMP makes it easy for agencies to share ATOs.

CSPs go through the FedRAMP process only once. Government agencies have different information standards and requirements, and therefore, each will want to review a CSP’s ability to meet those needs. Fortunately, the FedRAMP portal offers a quick and easy way for government officials to review a CSP’s FedRAMP package, 3PAO assessment results, ATO letters from other agencies and more.

4. FedRAMP has broad appeal.

FedRAMP is expanding beyond only serving the federal government, with state and local agencies showing interest in the program. California officials are currently awaiting approval to use FedRAMP to minimize the risk to state data and constituent information and as a way to provide those constituents with a secure platform.

Many other state and local governments are beginning to follow in California’s footsteps, showing early indications of FedRAMP’s long-term accomplishments.

Although FedRAMP has developed fast, it has remained comprehensive. It has also served the intended goal of qualifying government-ready service providers and sharing ATOs across agencies. Its accomplishments are real and should not be tarnished by those who are not ready or who want to make noise for financial gain.

RICK BARNARD is head of Huddle’s U.S. Public Sector.